
[Snort-users] [help,urgent] Using PCRE to match packets in hex


Yoyo Lam
Oct 27, 2013, 2:39:59 PM
Hello experts,

I have a problem with PCRE. I wrote a PCRE pattern that perfectly matches a certain message, and I checked it in a regex checker and there is no problem. But when I put it in a Snort rule with the B modifier, it doesn't work. Please help me figure out what happened.

The PCRE Check page:

My Snort rule:
alert tcp any any -> any any (pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)/B"; msg:"Some message"; sid:1234567; rev:1;)

Please help me by either
1) Telling me what I have forgotten to add/change/remove;
2) Give me the working rule :D
3) Any way that can solve this fast

This is quite urgent, so please help me asap.

Best regards,
Yoyo

Jeremy Hoel
Oct 27, 2013, 2:56:32 PM

Without a pcap of the data you're trying to hit on, it's hard to tell.. but this section mentions you might want a content part of the rule also.

http://manual.snort.org/node32.html#SECTION004523200000000000000

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

waldo kitty
Oct 27, 2013, 4:48:14 PM
On 10/27/2013 3:33 PM, Yoyo Lam wrote:
> I didn't use content since I don't really get how to use it properly, and with
> my programming experience, I am more familiar with regex. And it seems that
> using pcre alone is ok. (not thoroughly tested)

yes you really do need content to match on and then regex performs more checking
either on the same content or other data in the same buffer...

in your pcre you have "13", "77696e646f7773" and "6c696e7578" that you could use
content on...

theory eg: content: 13; content: 77696e646f7773; distance: 46; your_pcre_here

if i'm reading your regex properly, you are looking for

2 characters 0-9 or a-f or A-F
13
2 characters 0-9 or a-f or A-F
the above three parts repeated 8 times
77696e646f7773 or 6c696e7578

is this correct? if so, the content looking for 13 followed 46 bytes later with
another content looking for 77696e646f7773 should match on those packets and
then the pcre would refine the match and fire...

i think you will need two rules the same but with the second content match being
6c696e7578 to catch those because i'm not aware of a way of specifying OR with
content... this would also allow you to alter the last part of your pcre to
contain only one or the other match depending on which rule it is...

eg:

alert tcp any any -> any any (msg:"Some message"; content:"13"; content:
"77696e646f7773"; distance:46;
pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773)/B"; sid:1234567;
rev:1;)

alert tcp any any -> any any (msg:"Some message"; content:"13"; content:
"6c696e7578"; distance:46;
pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(6c696e7578)/B"; sid:1234568; rev:1;)


i've written the above off the top of my head with no testing at all (and no
data to test against)... i think it will give you what you need to understand
about content matches... the only other thing is if those parts are character
strings or if they are byte sequences... if they are byte sequences, then the
content format would change slightly...

another small formatting hint is that you should start the parameters of your
rules with the MSG section and then follow with your content, pcre, and other
parameters as needed (references, sid, rev)...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

JJ Cummings
Oct 27, 2013, 4:49:47 PM
Even if using regex you need a content anchor... It is considered best practice and helps dramatically in terms of performance and overall rule overhead!

Sent from the iRoad

On Oct 27, 2013, at 13:33, Yoyo Lam <mtc...@gmail.com> wrote:

These would be samples for checking. They are fetched using Wireshark. You can find it at the first packets to 130.37.198.87.
A sample of packet that I want to match is already in the regex site I put before.
I thought there would be no problem to my packet. I just want to know how to use my pattern to match against the hex dump of the packet.

I didn't use content since I don't really get how to use it properly, and with my programming experience, I am more familiar with regex. And it seems that using pcre alone is ok. (not thoroughly tested)

Yoyo



<drop.pcapng>
<drop2.pcapng>

rmkml
Oct 27, 2013, 4:23:29 PM
Hi Yoyo and Jeremy,

Well, it's not easy to create a rule for unknown network traffic;
this sig works for the two pcaps submitted:

alert tcp any any -> any any (msg:"Some message"; flow:to_server,established; content:"|11 13|"; depth:2; pcre:"/^\x11\x13.{8}(?:windows|linux)/s"; sid:1234567; rev:2;)

Don't remember look checksum or not... (-k none)

Best Regards
@Rmkml

Yoyo Lam
Oct 27, 2013, 6:30:37 PM
Thanks for all your help,

Sorry for misleading you with the packets. I only got the packets of the windows version; I don't have the linux ones.
My issue is that I cannot use the regex with Snort.
And the format of this particular request is like this (in hex form):

[1 byte of message length in hex]13[8 bytes of random hex][windows/linux in hex]

The only thing which would be consistent throughout packets will be 13.
Therefore @rmkml, making the first byte 11 will not work.

@Cummings, I know that content should be added, but I can't figure out how it works from the docs. For example, how I can confirm that a particular byte is something, and how to use multiple contents with offset and depth. BTW I don't care about performance, since this is not for production. But thanks for the advice.

@Waldo Kitty The data I want to match is bytecode (binary data in hex form, please refer to docs*), therefore I tried the B after the delimiter to see if it works. I don't think it would be possible to wrap | around the regex to make it match bytecode.

*"Bytecode represents binary data as hexadecimal numbers and is a good shorthand method for describing complex binary data."

This is my modified version with reference to yours:

alert tcp any any -> any any (msg:"Some message"; content:"|13|"; offset:1;
pcre:"/([0-9a-fA-F]{2}\s)13\s([0-9a-fA-F]{2}\s){8}(77\s69\s6e\s64\s6f\s77\s73|6c\s69\s6e\s75\s78)/B"; sid:1234567;
rev:1;)

Regex explained:
([0-9a-fA-F]{2}\s)13\s([0-9a-fA-F]{2}\s){8}(77\s69\s6e\s64\s6f\s77\s73|6c\s69\s6e\s75\s78)
([0-9a-fA-F]{2}\s)                                   Matches 1 byte with 1 whitespace
13\s                                                 Matches 13 with 1 whitespace
([0-9a-fA-F]{2}\s){8}                                Matches 8 bytes separated with 1 whitespace
(77\s69\s6e\s64\s6f\s77\s73|6c\s69\s6e\s75\s78)      Matches the bytecode of either *windows* or *linux* (you can take away the \s and put it into a hex to ascii converter)

Therefore this regex pattern will match something like this: (a linux sample)
0e 13 12 34 56 78 ab cd ef 00 6c 69 6e 75 78

My problem is how Snort represents bytecode. I can think of 3 methods:
0e1312345678abcdef006c696e7578
0e 13 12 34 56 78 ab cd ef 00 6c 69 6e 75 78
0e:13:12:34:56:78:ab:cd:ef:00:6c:69:6e:75:78

I want to know which is the one.
Since it is late here, I will do the testing tomorrow and give you the results.
btw thanks for the formatting tips :)

Regards,
Yoyo




Yoyo Lam
Oct 27, 2013, 6:37:18 PM
Just to clarify so that no one thinks I am stuck with pcre regex:

My problem is not with the regex expression. Unless I am wrong (in this case please kindly point it out), there is no problem with it.
It is about the representation of bytecode in Snort. I guess it's the second one, but I'm not sure.

And thank you very much for all your help. I feel honoured.


rmkml
Oct 27, 2013, 6:36:50 PM
new version:

alert tcp any any -> any any (msg:"Some message"; flow:to_server,established; content:"|13|"; offset:1; pcre:"/^[\x0F\x11]\x13.{8}(?:windows|linux)/s"; sid:1234567; rev:3;)

@Rmkml

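The difference between the original pattern and rmkml's is the buffer each describes: Snort evaluates pcre over the packet bytes themselves, not over a hex rendering of them, so a pattern written for the text of a hex dump passes in an online checker fed that dump but never fires in Snort. The following is an added example, not code from the thread; it uses constructed packet samples built from the format Yoyo described and emulates the content anchor plus pcre of rmkml's rule with Python's `re` on raw bytes.

```python
import re

# Constructed samples of the request format described in the thread:
# [1 length byte] 0x13 [8 arbitrary bytes] "windows" or "linux" in ASCII.
# "linux" is 5 bytes, so its length byte is 0x0f (rmkml's correction);
# "windows" is 7 bytes, so its length byte is 0x11.
SAMPLE_LINUX = bytes.fromhex("0f 13 12 34 56 78 ab cd ef 00 6c 69 6e 75 78")
SAMPLE_WINDOWS = bytes.fromhex("11 13 01 02 03 04 05 06 07 08 77 69 6e 64 6f 77 73")
SAMPLE_OTHER = bytes.fromhex("0f 13 12 34 56 78 ab cd ef 00 6d 61 63 6f 73")  # "macos"

# Pattern from the original rule: it describes the hex *text* of a dump,
# i.e. ASCII digits and letters, not the bytes those digits stand for.
HEX_TEXT_RE = re.compile(
    rb"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)")

# rmkml's final pcre: \x escapes describe the raw bytes Snort actually sees.
# re.DOTALL plays the role of the /s modifier so '.' also matches 0x0a.
RAW_BYTES_RE = re.compile(rb"^[\x0f\x11]\x13.{8}(?:windows|linux)", re.DOTALL)


def hex_text_pattern_matches(payload):
    """Return (matches the hex-dump text, matches the raw payload).

    The first is what an online checker fed a hex dump reports; the second
    is what Snort evaluates, because the pcre runs over packet bytes.
    """
    dump_text = payload.hex().encode()  # b"0f1312...6c696e7578"
    return (HEX_TEXT_RE.search(dump_text) is not None,
            HEX_TEXT_RE.search(payload) is not None)


def snort_rule_matches(payload):
    """Emulate rmkml's rule: content:"|13|"; offset:1; then the pcre.

    content:"|13|"; offset:1; looks for the byte 0x13 starting at offset 1.
    Only when that cheap anchor hits is the (more expensive) pcre evaluated,
    which is why the list recommends a content match alongside every pcre.
    """
    if payload.find(b"\x13", 1) == -1:
        return False
    return RAW_BYTES_RE.match(payload) is not None
```

The pair returned by `hex_text_pattern_matches` is `(True, False)` for both samples: the hex-text pattern is right about the dump and wrong about the packet, which is exactly the symptom reported at the top of the thread.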

rmkml
Oct 27, 2013, 6:45:40 PM
oops, I'm curious about your linux sample:
0e 13 12 34 56 78 ab cd ef 00 6c 69 6e 75 78

Are you sure it's \x0e ? because "linux" length is \x0f...

@Rmkml

Yoyo Lam
Oct 27, 2013, 6:56:33 PM

Oops, I got it wrong (I just did it in my head; perhaps I'm really getting old). It's 0f, and I will try your rule tomorrow. Thank you.

Yoyo Lam
Oct 28, 2013, 6:44:36 AM
Sorry guys it is still not working.


2013/10/27 rmkml <rm...@yahoo.fr>
you're welcome and good luck.

@Rmkml


Yoyo Lam
Oct 28, 2013, 6:46:19 AM
Stupid me. It works after I changed the \x0e to \x0f.

Thank you everyone for working on this. Thank you!

Yoyo
